from the things-will-get-worse-before-they-get...-worse dept

An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement -- originally crafted to regulate the sale of actual weapons -- have targeted exploits and malware. The US's proposed adoption of the Arrangement expands on the definitions of targeted "weapons," threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.

The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor amid legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.

Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.

Ruiu points out HP didn't pull out of the Canadian leg of Pwn2Own, most likely because Canada's implementation was more streamlined and well-written than Japan's, which he calls "vague and cumbersome." The loss of a major sponsor makes it that much harder for hackers to gather and for vulnerabilities to be exposed and fixed.

Loosely-worded implementations of the Agreement are only going to make general computing less secure. Those finding and using exploits for criminal reasons aren't going to comply with new directives any more than they comply with existing laws, so the only people really affected by these new rules will be those using their skills for good.

from the kicking-open-backdoors-and-charging-admission dept

Thanks to Snowden's leaks and a host of other information preceding those, it's become clear that intelligence agencies -- despite their constant and loud "worrying" about cyberattacks -- are more than happy to make computers and the Internet itself less safe by purchasing, discovering and hoarding vulnerabilities. These are exploited to their fullest before being reported to the entities that can patch the holes. In the meantime, the NSA and others make use of security holes and vulnerabilities, leaving millions of members of the public exposed.

It may just be arrogance. Maybe these intelligence agencies believe they're the only ones with this access and, because they're ostensibly the "good guys," any collateral damage caused by unpatched vulnerabilities is acceptable. The other option is worse: they just don't care. Their "higher calling" -- the fight against terrorists and hackers -- is more important than the security of computer users around the world.

For three years, VUPEN held onto this, allowing the exploit of four straight Internet Explorer versions. IE may be losing its grasp on home users, but governments around the world still tend to opt for Microsoft's browser (along with its suite of productivity products). VUPEN finally notified Microsoft of this vulnerability en route to collecting $300,000 for this and other exploits it's been hoarding. (Additional products affected include other widely-used programs like Adobe Flash and Adobe Reader.)

There can be little doubt that VUPEN turned over these vulnerabilities to whatever intelligence/law enforcement agency would have them during the last three years. Informing Microsoft of this flaw at the point of discovery just isn't a great way to make money. IE users were left unprotected against anyone who wished to exploit the same hole the security contractor had slapped a price tag on.

In March 2014, VUPEN has once again won 1st place at the Pwn2Own 2014 security competition by creating and showing zero-day exploits for Google Chrome, Internet Explorer 11, Adobe Reader XI, Adobe Flash, and Mozilla Firefox. The exploits have fully bypassed all Windows 8.1 security protections and exploit mitigations in place, and all sandboxes. VUPEN has reported all the discovered zero-day vulnerabilities to the affected vendors to allow them to fix the flaws and protect users from attacks.

The word "creating" implies it discovered these holes during the conference and immediately turned them over to the vendors. While it's true that the vendors can now "fix the flaws," the latter half of that sentence ("protect users from attacks") is only true going forward. There's no telling how many attacks occurred over the past months and years while VUPEN hawked its vulnerability stash.

But that's not even the most disingenuous part of VUPEN's pitches. This is:

If you can't read the text, it says:

Do not wait 6 to 9 months for vendor patches to protect your infrastructures and assets from critical vulnerabilities.

So, VUPEN will "protect" your private company from exploits it knows about but won't pass on to vendors until it's managed to sell enough protection plans. Your company wouldn't need to "wait 6 to 9 months" for vendors to patch products if VUPEN and others would turn these over to them sooner. But that's not part of the business plan. There's nothing wrong with a company trying to make money, but hoarding exploits and selling protection against them seems to run very close to extortion. It's like selling home security while running a gang of thieves on the side.